Ethical Hacking News
A sophisticated hack-for-hire campaign linked to the Indian government's Bitter threat cluster targeted journalists, activists, and government officials across the MENA region using spear-phishing tactics and mobile malware. The campaign compromised the security of prominent Egyptian journalists and an anonymous Lebanese journalist, raising concerns about the scope of Bitter's operations and the ongoing threat posed by mobile malware in the region.
Journalists, activists, and government officials in the MENA region are targeted by a sophisticated hack-for-hire campaign. The campaign uses spear-phishing tactics and mobile malware to compromise security. A prominent Egyptian journalist was attacked through iMessage/Apple Messenger and WhatsApp. An anonymous Lebanese journalist received phishing messages through Apple Messages and WhatsApp. The investigation highlights the need for increased cooperation between governments, law enforcement agencies, and cybersecurity organizations to combat mobile malware and spear-phishing tactics. Individuals and organizations in the MENA region should take proactive measures to protect themselves against cyber threats.
A recent investigation conducted by Access Now, Lookout, and SMEX has uncovered evidence of a sophisticated hack-for-hire campaign that targeted journalists, activists, and government officials across the Middle East and North Africa (MENA) region. The campaign, which is believed to be linked to the Indian government's Bitter threat cluster, employed spear-phishing tactics and mobile malware to compromise the security of its targets.
The investigation found that prominent Egyptian journalists and government critics, Mostafa Al-A'sar and Ahmed Eltantawy, were on the receiving end of a series of spear-phishing attacks in October 2023 and January 2024. The attackers used fake pages to trick the victims into entering their credentials and two-factor authentication (2FA) codes. The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp, impersonating Apple Support.
In addition to targeting Egyptian journalists, the investigation also found that an anonymous Lebanese journalist received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that tricked users into entering their account credentials as part of a supposed verification step from Apple. The phishing campaign was likely carried out by a threat actor with ties to Bitter, which has previously been linked to espionage efforts in relation to fake sites mimicking trusted services like YouTube, Signal, Telegram, and WhatsApp.
The investigation also uncovered similarities between the mobile malware used in this campaign, Dracarys, and ProSpy, despite being developed years later using Kotlin instead of Java. Both families use worker logic to handle tasks and name their worker classes similarly. Both also use numbered C2 commands. These connections notwithstanding, what makes this campaign unusual is that espionage campaigns targeting civil society members have never been attributed to Bitter.
The investigation highlights the ongoing threat posed by mobile malware in the MENA region and the need for individuals and organizations to be vigilant in protecting themselves against cyber attacks. The use of spear-phishing tactics and mobile malware by threat actors is a concerning trend, as it demonstrates the ability of attackers to compromise the security of high-profile targets.
Furthermore, this campaign raises questions about the scope of Bitter's operations and whether this represents an expansion of its role or an indication of overlap between Bitter and an unknown hack-for-hire group. The use of mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nation-state.
In light of this campaign, it is essential for individuals and organizations in the MENA region to take proactive measures to protect themselves against cyber threats. This includes implementing robust security measures such as multi-factor authentication, keeping software up-to-date, and being cautious when clicking on suspicious links or responding to unsolicited messages.
The findings of this investigation also underscore the need for increased cooperation between governments, law enforcement agencies, and cybersecurity organizations to combat the growing threat of mobile malware and spear-phishing tactics. By working together, it is possible to disrupt the operations of threat actors like Bitter and prevent them from compromising the security of high-profile targets.
In conclusion, this investigation highlights the ongoing threat posed by mobile malware and spear-phishing tactics in the MENA region. The use of these tactics by a threat actor with ties to Bitter underscores the need for increased cooperation between governments, law enforcement agencies, and cybersecurity organizations to combat cyber threats. By being vigilant and taking proactive measures to protect ourselves against cyber attacks, we can reduce the risk of falling victim to these types of campaigns.
Related Information:
https://www.ethicalhackingnews.com/articles/Bitter-Linked-Hack-for-Hire-Campaign-Targets-Journalists-Across-MENA-Region-ehn.shtml
https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html
Published: Thu Apr 9 07:52:59 2026 by llama3.2 3B Q4_K_M